As you can see from the TCP stream, the GET request for flow339.php returned an iframe containing a URL for a RIG exploit kit landing page. It also contained the following string at the very bottom:

If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html

More on this string later.

The host was then sent the Flash exploit and the malware payload, which was dropped and executed in %TEMP%. Below is an image of multiple malware payloads (I received numerous identical payloads as the page refreshed itself numerous times):

The various file system and registry IOCs confirmed that the malware payload was Ramnit banking Trojan.

I then decided to do some additional digging to see if I could figure out what campaign this was coming from. That is when I found an article written on March 21st, 2017, by Jérôme Segura over at Malwarebytes Labs. The article was entitled “Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign” and in the article Jérôme talked about malvertising activity originating from various adult websites.

Jérôme also mentioned that their honeypot caught Ramnit payloads coming from this malvertising campaign. An interesting note about their investigation is that they documented TDSs (Traffic Distribution Systems) being used in this malvertising campaign.

Below is an image from Jérôme’s post on March 21st, 2017:

Figure 2

You’ll notice that their Fiddler session captures the exact same string that I discussed earlier in the post. For example, you’ll see “If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html” at the bottom of the image. The traffic and payload (Ramnit) seem to match the campaign that they discovered.

BroadAnalysis had also sent me a DM with a link to an article entitled “Seamless Campaign Delivers Ramnit via Rig EK.” The article is written by Andrea Scarfo, Brad Antoniewicz, and Matt Foley over at the Cisco Umbrella blog. They’re calling it the “Seamless” campaign due to that word being used in the response from the gate (see Figure 1 and Figure 2). Just like with Malwarebytes they too found that this campaign was heavily targeting Canadian hosts and dropping Ramnit banking malware as its payload.

Further reconnaissance showed that there were numerous open ports on 194.58.38.64:

Post-Infection Traffic

Upon execution of the malware payload the host made numerous DNS queries:

Domain                            Address            Country
fbtsotbs.com                      -                  -
npcvnorvyhelagx.com               87.106.190.153     Germany
mrthpcokvjc.com                   -                  -
notalyyj.com                      185.118.66.84      Russian Federation
ctiprlgcxftdsaiqvk.com            -                  -
aofmfaoc.com                      34.194.213.50      United States
wgwuhauaqcrx.com                  87.106.190.153     Germany
fkqrjsghoradylfslg.com            -                  -
doisafjsnbjesfbejfbkjsej88.com    -                  -
bheabfdfug.com                    185.156.179.126    Russian Federation
sinjydtrv.com                     -                  -

(A dash marks a row that had no address or country in the original table.)

The malware then used the following Port/Protocol to contact these hosts:

IP Address        Port   Protocol   Domain             Country
185.156.179.126   443    TCP        bheabfdfug.com     Russian Federation
34.194.213.50     443    TCP        aofmfaoc.com       United States
87.106.190.153    443    TCP        wgwuhauaqcrx.com   Germany
185.118.66.84     443    TCP        notalyyj.com       Russian Federation

These events triggered the following rules on my IDS:

ET TROJAN Win32/Ramnit Checkin

MALWARE-CNC Win.Trojan.Ramnit variant outbound detected
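The pivot behind the two tables above, from the DNS answers to the TCP flows that followed them, written out as a script. This is an added example, not code from the post: the DNS and connection records are constructed from the domains and addresses the post lists (standing in for what tshark or Zeek's dns.log and conn.log would give you), and the country values are copied from the post's tables rather than looked up. Inverting the answers also surfaces something the post's second table does not show, namely that two of the queried names resolved to the same German address.

```python
"""Pivot from a host's DNS answers to its later outbound TCP flows.

Added example (not code from the post): the records below are
constructed from the domains and addresses the post lists.
"""
from collections import defaultdict

# (query name, answer address); None where the post's table shows no address.
DNS_RECORDS = [
    ("fbtsotbs.com", None),
    ("npcvnorvyhelagx.com", "87.106.190.153"),
    ("mrthpcokvjc.com", None),
    ("notalyyj.com", "185.118.66.84"),
    ("ctiprlgcxftdsaiqvk.com", None),
    ("aofmfaoc.com", "34.194.213.50"),
    ("wgwuhauaqcrx.com", "87.106.190.153"),
    ("fkqrjsghoradylfslg.com", None),
    ("doisafjsnbjesfbejfbkjsej88.com", None),
    ("bheabfdfug.com", "185.156.179.126"),
    ("sinjydtrv.com", None),
]

# (destination address, destination port, protocol) of outbound flows
# from the infected host after the payload executed.
TCP_RECORDS = [
    ("185.156.179.126", 443, "TCP"),
    ("34.194.213.50", 443, "TCP"),
    ("87.106.190.153", 443, "TCP"),
    ("185.118.66.84", 443, "TCP"),
]

# Country attribution as given in the post. In a real workflow this would
# come from a GeoIP database, not a hand-written table.
COUNTRY = {
    "87.106.190.153": "Germany",
    "185.118.66.84": "Russian Federation",
    "34.194.213.50": "United States",
    "185.156.179.126": "Russian Federation",
}


def unresolved_queries(dns_records):
    """Names that were queried but never got an address back."""
    return [name for name, addr in dns_records if addr is None]


def names_by_address(dns_records):
    """Invert the answers: address -> sorted names that resolved to it.

    Several names resolving to one address is worth noticing, because a
    block on a single domain then achieves little; block the address.
    """
    by_addr = defaultdict(set)
    for name, addr in dns_records:
        if addr is not None:
            by_addr[addr].add(name)
    return {addr: sorted(names) for addr, names in by_addr.items()}


def correlate(dns_records, tcp_records, country=COUNTRY):
    """Build the IP / port / protocol / domain / country rows from both logs."""
    by_addr = names_by_address(dns_records)
    rows = []
    for addr, port, proto in tcp_records:
        rows.append({
            "ip": addr,
            "port": port,
            "protocol": proto,
            "domains": by_addr.get(addr, []),
            "country": country.get(addr, "unknown"),
        })
    return rows


def contacted_without_dns(dns_records, tcp_records):
    """Flows to addresses the host never resolved in the capture: either a
    hard-coded address or a resolution that happened before capture started.
    Empty for the post's data, which is itself a useful confirmation."""
    resolved = {addr for _, addr in dns_records if addr is not None}
    return sorted({addr for addr, _, _ in tcp_records if addr not in resolved})


def resolved_but_not_contacted(dns_records, tcp_records):
    """Addresses that resolved but saw no flow during the capture."""
    contacted = {addr for addr, _, _ in tcp_records}
    return sorted({addr for _, addr in dns_records
                   if addr is not None and addr not in contacted})


def format_table(rows):
    """Render the correlation in the plain-text layout used in the post."""
    fmt = "%-16s %-5s %-8s %-40s %s"
    lines = [fmt % ("IP Address", "Port", "Protocol", "Domain", "Country")]
    for r in rows:
        lines.append(fmt % (r["ip"], r["port"], r["protocol"],
                            ", ".join(r["domains"]), r["country"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(correlate(DNS_RECORDS, TCP_RECORDS)))
    print("\nunresolved:", ", ".join(unresolved_queries(DNS_RECORDS)))
    print("contacted without DNS:", contacted_without_dns(DNS_RECORDS, TCP_RECORDS))
```

The two consistency checks at the end are the part worth keeping in a real triage script: a flow to an address that never appeared in a DNS answer means the sample carries hard-coded infrastructure (or the capture started late), and a resolved address that was never contacted is one to keep watching for in later pcaps.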

I then found my infected host making A LOT of ARP requests to IP addresses in its subnet. This traffic was followed by even more connection requests to hosts in the private address space via TCP port 110 (POP3). The POP3 requests caused the following ET rule to trigger:

You will find the hashes for the files below, as well as the malicious artifacts, which are zipped and password-protected with “infected”. The malware samples can be downloaded from the Hybrid-Analysis reports.